Date: Wed, 18 Dec 1996 08:00:23 -0500 (EST)
From: Charles Owens <owensc@enc.edu>
To: sos@freebsd.org
Cc: Luigi Rizzo <luigi@labinfo.iet.unipi.it>, julian@whistle.com, wangel@wgrobez1.remote.louisville.edu, dnex@access.digex.net, current@freebsd.org, stable@freebsd.org
Subject: Re: IP masquerading (for a LAN, _not_ PPP)
Message-ID: <Pine.FBS.3.93.961218075050.13422A-100000@dingo.its.enc.edu>
In-Reply-To: <199612170844.JAA18610@ravenock.cybercity.dk>
On Tue, 17 Dec 1996 sos@freebsd.org wrote:

> In reply to Luigi Rizzo who wrote:
> > > FreeBSD 2.2 includes the feature "DIVERT SOCKETS"
> > > these can be used in conjunction with the ipfw code to
> > > create a translation feature.
> > >
> > > Use the 'divert' keyword with the ipfw to divert a packet to
> > > a 'divert socket' that is opened by the translation daemon.
> > > The daemon monitors incoming packets and 'fiddles' the headers
> > > accordingly.
> >
> > Isn't it a bit expensive? I mean, do all the packets go to userland
> > where the daemon modifies them and then back to the kernel? If this is
> > the situation, it sounds like a significant overhead per packet, so you
> > only want to do it at the slow side of a router.
>
> Exactly, that's why I did it in the kernel :)
> I've measured the overhead long ago when I started this, and on my
> rusty old 25MHz 386SX this works just dandy with 10MBps and
> multiple connections with kernel resident code. I tried a
> couple of simple attempts on a userland implementation, but
> it bailed out on ~100Kbps...
> (And for those wanting it, it's not releasable, sorry)
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Søren Schmidt (sos@FreeBSD.org) FreeBSD Core Team
> Even more code to hack -- will it ever end

Ok... help me out here: the 'ipfilter' package is _not_ a userland
implementation, right? (just trying to put all of the pieces together
here...)

Why do some folks consider the DIVERT sockets with userland daemon
approach better than other existing options, such as ipfilter? Or, more
directly, why might I not want to use ipfilter to build a firewall for a
large (hundreds of users) LAN? (pssst... not trying to start a war here)

I'm trying to discern which of the available options makes the most sense
for me... at this instant ipfilter seems the best bet --- feature rich and
good performance (I'm assuming... by virtue of its kernel implementation...
any testimonials?).

I'd use the ipfw package but I really need NAT.

If this should be moved out of -stable and -current then... sorry... :-)

Thanks,

---
-------------------------------------------------------------------------
Charles Owens                        Email: owensc@enc.edu
Information Technology Services      "I read somewhere to learn is to
Eastern Nazarene College              remember... and I've learned that
                                      we've all forgot..." - King's X
-------------------------------------------------------------------------
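The thread above describes the divert-socket design: ipfw hands a packet to a userland daemon, the daemon "fiddles the headers", and the packet goes back into the kernel. The per-packet work the daemon has to do is not shown anywhere in the thread, so the following is an added illustration, not code from this message, from FreeBSD, or from Søren Schmidt's unreleased kernel translator. It does the outbound half of a NAT rewrite on a constructed IPv4/TCP SYN in portable C: replace the source address and port with the gateway's, then recompute the IP header checksum and the TCP checksum (which covers the pseudo-header, so it changes whenever the source address changes). The addresses and ports are assumptions chosen for the example, the divert-socket read/write and the connection state table that maps the external port back to the internal host are omitted, and the inbound (reverse) rewrite is left out; it is the same operation applied to the destination fields.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no options,
 * no payload. Every address and port below is an assumption for illustration. */
#define IP_HLEN  20
#define TCP_HLEN 20
#define PKT_LEN  (IP_HLEN + TCP_HLEN)

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* One's-complement running sum over a byte buffer; shared by IP and TCP checksums. */
static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t acc) {
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        acc += (uint32_t)buf[len - 1] << 8;   /* pad a trailing odd byte with zero */
    return acc;
}

/* Fold the 32-bit sum to 16 bits and complement; a correct header folds to 0. */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header checksum: zero the field, sum the header, store the complement. */
static void ip_fix_checksum(uint8_t *pkt) {
    put16(pkt + 10, 0);
    put16(pkt + 10, fold(ones_sum(pkt, IP_HLEN, 0)));
}

/* TCP checksum: pseudo-header (src, dst, zero, protocol 6, TCP length) + segment. */
static uint32_t tcp_pseudo_sum(const uint8_t *pkt, size_t pkt_len) {
    size_t tcp_len = pkt_len - IP_HLEN;
    uint32_t sum = ones_sum(pkt + 12, 8, 0);     /* source and destination addresses */
    sum += 6;                                    /* zero byte + protocol number */
    sum += (uint32_t)tcp_len;
    return ones_sum(pkt + IP_HLEN, tcp_len, sum);
}

static void tcp_fix_checksum(uint8_t *pkt, size_t pkt_len) {
    put16(pkt + IP_HLEN + 16, 0);
    put16(pkt + IP_HLEN + 16, fold(tcp_pseudo_sum(pkt, pkt_len)));
}

/* Verification: summing a correct header including its checksum folds to 0. */
int ip_checksum_ok(const uint8_t *pkt)                  { return fold(ones_sum(pkt, IP_HLEN, 0)) == 0; }
int tcp_checksum_ok(const uint8_t *pkt, size_t pkt_len) { return fold(tcp_pseudo_sum(pkt, pkt_len)) == 0; }

/* Outbound NAT step: source address/port become the gateway's, then both checksums
 * are recomputed (the TCP one because the pseudo-header changed). */
void nat_outbound(uint8_t *pkt, size_t pkt_len, uint32_t ext_ip, uint16_t ext_port) {
    pkt[12] = (uint8_t)(ext_ip >> 24); pkt[13] = (uint8_t)(ext_ip >> 16);
    pkt[14] = (uint8_t)(ext_ip >> 8);  pkt[15] = (uint8_t)(ext_ip);
    put16(pkt + IP_HLEN, ext_port);
    ip_fix_checksum(pkt);
    tcp_fix_checksum(pkt, pkt_len);
}

/* Constructed input: 192.168.1.10:40000 -> 10.0.0.1:80, TCP SYN, TTL 64. */
void build_sample(uint8_t *pkt) {
    memset(pkt, 0, PKT_LEN);
    pkt[0] = 0x45;                 /* version 4, IHL 5 */
    put16(pkt + 2, PKT_LEN);       /* total length */
    put16(pkt + 4, 0x1234);        /* identification (arbitrary) */
    pkt[8] = 64; pkt[9] = 6;       /* TTL, protocol TCP */
    const uint8_t src[4] = {192, 168, 1, 10}, dst[4] = {10, 0, 0, 1};
    memcpy(pkt + 12, src, 4); memcpy(pkt + 16, dst, 4);
    uint8_t *tcp = pkt + IP_HLEN;
    put16(tcp, 40000); put16(tcp + 2, 80);
    tcp[12] = 0x50; tcp[13] = 0x02;  /* data offset 5, SYN */
    put16(tcp + 14, 8192);           /* window */
    ip_fix_checksum(pkt);
    tcp_fix_checksum(pkt, PKT_LEN);
}

/* Build the sample, translate it to the assumed external 203.0.113.7:61000,
 * and report whether both checksums still verify. Returns 1 on success. */
int nat_demo(uint8_t *out) {
    build_sample(out);
    nat_outbound(out, PKT_LEN, 0xCB007107u, 61000);
    return ip_checksum_ok(out) && tcp_checksum_ok(out, PKT_LEN);
}

int main(void) {
    uint8_t pkt[PKT_LEN];
    int ok = nat_demo(pkt);
    printf("source now %u.%u.%u.%u:%u, checksums %s\n",
           pkt[12], pkt[13], pkt[14], pkt[15], get16(pkt + IP_HLEN), ok ? "valid" : "INVALID");
    return ok ? 0 : 1;
}
```

This is the arithmetic a translation daemon performs per packet; it is cheap. The overhead Luigi and Søren are discussing is the copy of every packet out to userland and back in, plus the context switches, which is why the same logic run kernel-resident scales so much further on the same hardware. A real translator also needs a connection table so that the reply to 203.0.113.7:61000 can be rewritten back to 192.168.1.10:40000, and it must handle fragments and ICMP errors, none of which this example covers.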